Fortnite developer and Google have an Epic spat over vulnerability

Fortnite developer Epic is not too pleased with the way in which Google publicly disclosed a security vulnerability in the game’s Android installer.

Rather than pay the 30 percent cut which Google takes from distributing games through its Play Store, Epic decided to bypass the official app store in favour of its own installer.

Sideloading games poses an increased risk to consumers as it bypasses many of Google’s protections. In fact, users have to manually agree to the risks before Android will allow the installation of apps from third-party sources.

Many security experts warned of the potential dangers of Epic distributing Fortnite in this way, especially since many of its players are young and potentially more susceptible to installing fake copies of the game.

Google highlighted a vulnerability in the official installer that allowed a ‘Man-In-The-Disk’ attack: the downloaded file would appear legitimate, but just before installation the APK could be swapped for modified software that poses a risk.

When Google discovers a bug, its policy is to alert the relevant parties and give them 90 days to fix it before details are shared with the defense community. If it’s fixed sooner, Google will also share the vulnerability sooner.

Epic fixed the problem the very next day and so Google shared details of its findings. It’s likely Google was eager to share its findings to warn others of the dangers of bypassing the Play Store.

However, Epic was not happy with the disclosure as older – still vulnerable – versions of the Fortnite for Android installer would still be around.

In a comment to Mashable, Epic CEO Tim Sweeney wrote:

“Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.

However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.

An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336

Google's security analysis efforts are appreciated and benefit the Android platform, however, a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play.”

On Samsung devices, Epic’s installer uses a "private Galaxy Apps API" which stores the downloaded file in Android's publicly-accessible external storage. In its bug report, Google notes that "using a private internal storage directory rather than external storage would help avoid this vulnerability."

Because Samsung's API only checks that the APK being installed matches the package name ‘com.epicgames.fortnite’, a modified copy can be swapped in. Even worse, if the fake APK has a targetSdkVersion of 22 (Android 5.1 Lollipop) or lower, then all permissions it asks for at install will be granted without the user's knowledge.
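
The check described above can be modelled in a few lines. This is an added example, not code from Epic, Samsung or Google: it compares a package-name-only test with a hardened pre-install check (private staging directory plus a SHA-256 pinned at download time). The stub file format, the file name and all function names are assumptions made for illustration.

```python
import hashlib, hmac, json, os, stat, tempfile

EXPECTED_PACKAGE = "com.epicgames.fortnite"  # package name quoted in the article

def make_stub_apk(package, target_sdk, payload):
    """Constructed stand-in for an APK: one JSON header line, then payload."""
    header = {"package": package, "targetSdkVersion": target_sdk}
    return json.dumps(header).encode() + b"\n" + payload

def package_name_check(path):
    """Weak check as described: only the package name is compared."""
    with open(path, "rb") as f:
        return json.loads(f.readline())["package"] == EXPECTED_PACKAGE

def verify_before_install(path, pinned_sha256):
    """Hardened check: private staging directory and a pinned SHA-256."""
    reasons = []
    parent = os.path.dirname(os.path.abspath(path))
    if os.stat(parent).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("staging directory is writable by other principals")
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        reasons.append("file digest differs from the digest pinned at download")
    return reasons  # empty list means the file may be handed to the installer

def stage_and_check(dir_mode, replaced_after_download):
    """Stage a download in a directory with dir_mode, then run both checks."""
    genuine = make_stub_apk(EXPECTED_PACKAGE, 26, b"genuine build")
    other = make_stub_apk(EXPECTED_PACKAGE, 22, b"some other build")
    pinned = hashlib.sha256(genuine).hexdigest()  # from the trusted download
    with tempfile.TemporaryDirectory() as staging:
        os.chmod(staging, dir_mode)  # 0o777 models shared external storage
        apk = os.path.join(staging, "download.apk")
        with open(apk, "wb") as f:
            f.write(genuine)
        if replaced_after_download:  # file changes before the install step
            with open(apk, "wb") as f:
                f.write(other)
        return package_name_check(apk), verify_before_install(apk, pinned)

if __name__ == "__main__":
    for mode, swapped in [(0o700, False), (0o700, True), (0o777, True)]:
        weak, reasons = stage_and_check(mode, swapped)
        print(oct(mode), "replaced" if swapped else "intact",
              "| name-only check:", weak, "| hardened:", reasons or "ok")
```

The name-only check passes in every case because the replaced file carries the same package name; the private staging directory in this model corresponds to the internal storage directory recommended in Google's bug report.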
